The law enforced by APRA came into force in July last year, and it aims to heighten accountability standards among ADIs and their senior executives and directors.

Advertisement

Advertisement

As Westpac’s alleged 23 million anti-money laundering breaches date back to 2013, it had been unclear if the law could be applied against the major bank.

But chairman Wayne Byres confirmed the potential use of BEAR against the bank in to the House of Representatives standing committee on economics on Monday morning.

He said the regulator was considering what the allegations mean for the prudential standing of Australia’s second-largest bank.

“While we must be careful not to duplicate or cut across matters for which AUSTRAC is the appropriate regulator, and which are before the courts, we are actively considering what further action by APRA is required,” Mr Byres told the House committee.

“This includes examining whether obligations under the Banking Executive Accountability Regime have been met, and how Westpac’s management of operational and compliance risks more broadly needs to be enhanced. As would be expected, we are ensuring we closely coordinate our activities with our fellow regulators – especially AUSTRAC and ASIC.”

Regulator unequipped for evolving technology

As cyber risks increase and attacks on financial institutions are more likely, Mr Byres said the regulator is becoming more conscious about its role in regulating “cyber hygiene.”

The watchdog has introduced a new prudential standard and has also pledged to deepen its cooperation with other government agencies to ensure it is aligned with the government’s cyber security strategy next year.

But My Byres admitted current regulations are not fully equipped to handle evolving technology.

“It also needs to be acknowledged that the current regulatory framework is not designed for clouds, ecosystems and partnership models,” he said.

“Not only do regulators need new skills, resources and partnerships, but possibly new powers to ensure that as critical functions and data move outside the regulatory perimeter, we are able to satisfy ourselves that the requisite level of safety and control remain in place.

“As we develop our supervision strategy, we will need to consider how best to tackle these issues.”